My DNS system is not working with Let's Encrypt

We’re small company, that provides: register, dns, web-hosting etc.
We have multiple problem with validation our domain with, lets encrypt, problem is in our DNS system, but we don’t know where.
Letsencrypt server give us cryptic answer and we don’t know where error.

My domain is: hbz.pl (including subdomains), i tested on: newtest1.hbz.pl (w/o www.)

I ran this command (this problem persist in FreeSSL (command line), acme.sh, certbot

It produced this outputs (one of two):

  • DNS problem: SERVFAIL looking up CAA for hbz.pl - the domain’s nameservers may be malfunctioning.
  • DNS problem: SERVFAIL looking up A for newtest1.hbz.pl- the domain’s nameservers may be malfunctioning.
    Also there is similar problem with DNS validation

My web server is (include version): multiple, don’t depend.
The operating systems my web server runs on windows (le32), linux - multiple versions.

My hosting provider, if applicable, is: myself

I can login to a root shell on my machine: yes

I’m using a control panel to manage my site: sometimes shell root (le32,acme.sh), sometimes ISPConfig

What i tested:

https://check-your-website.server-daten.de/?q=hbz.pl
https://check-your-website.server-daten.de/?q=newtest1.hbz.pl

  • there is no errors in DNSs.
    Also i tested

dnsperf.exe -l 30 -d hbz.dns.input -s hbz.hbz.com.pl (and other servers)
File contents:
hbz.pl A
hbz.pl CAA
I got average 8k answer per second with less then 0.1% fail.
Also “DiG” ( dig caa hbz.pl @ns4.hbz.pl) give me right answer.

But after several (3-8) tries we validate domain successfuly.

1 Like

Hi @msokolowskihbz

there

is your critical error:

X Fatal error: Nameserver doesn’t support echo capitalization. That’s critical if you want to create Letsencrypt certificates. Read https://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00 (2008). If a dns client asks “ExAmPlE.cOm”, the name server must answer with the same name, not with “example.com”. Creating Letsencrypt certificates isn’t possible. Your name server provider must update the software.: ns4.hbz.pl / 83.144.85.62

Your name server must support echo capitalization.

And that

X Fatal error: Nameserver doesn’t support EDNS with max. 512 Byte Udp payload or sends more then 512 Bytes: ns4.hbz.pl

may be critical too.

PS: Your CAA entries

2020-06-03.newtest1.hbz.pl

are curious. letsencrypt.org is correct, letsencrypt is wrong. 261 is unknown, 5 is ok. So remove the second entry and change the first entry.

3 Likes

Ok, i updated dns server (powerdns 4.2) on ns4.hbz.pl - but i still have problems and strange behavior:

In first test everything is OK, but in second i got error on this same DNS (ns4).
It’s very strange because it’s running the same software that ns5.hbz.pl and identical config file.

Can You offer me some more help ?

Looks like a wrong caching.

See the query with upper and lowercase.

There the answer is long and with lower cases (wrong).

:~$ dig A NewTest1.hBz.Pl. @83.144.85.62

; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> A NewTest1.hBz.Pl. @83.144.85.62
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53973
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;newtest1.hbz.pl. IN A

;; ANSWER SECTION:
newtest1.hbz.pl. 3599 IN A 194.181.59.15

;; AUTHORITY SECTION:
hbz.pl. 85835 IN NS hbz.hbz.com.pl.
hbz.pl. 85835 IN NS ns4.hbz.pl.
hbz.pl. 85835 IN NS ns5.hbz.pl.
hbz.pl. 85835 IN NS freebsd.hbz.pl.

;; ADDITIONAL SECTION:
hbz.hbz.com.pl. 24156 IN A 194.181.59.17
ns4.hbz.pl. 71301 IN A 83.144.85.62
ns5.hbz.pl. 313 IN A 80.211.200.96
freebsd.hbz.pl. 358 IN A 194.181.59.20

;; Query time: 2092 msec
;; SERVER: 83.144.85.62#53(83.144.85.62)
;; WHEN: Thu Jun 04 15:29:56 CEST 2020
;; MSG SIZE rcvd: 197

There (seconds later)

:~$ dig A NewTest1.hBz.Pl. @83.144.85.62

; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> A NewTest1.hBz.Pl. @83.144.85.62
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13035
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;NewTest1.hBz.Pl. IN A

;; ANSWER SECTION:
NewTest1.hBz.Pl. 3600 IN A 194.181.59.15

;; Query time: 55 msec
;; SERVER: 83.144.85.62#53(83.144.85.62)
;; WHEN: Thu Jun 04 15:31:43 CEST 2020
;; MSG SIZE rcvd: 60

the answer is short and correct - query = answer.

Using the same ip address -->> two different answers.

Looks like your name server has some wrong caching. Answers the cache, it’s wrong. Answers the software directly, it’s good.

But I don’t run my own name server software, so I’m not firm with these configurations.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.